useHttpOnly flag is not working in 7.0.23

Mehar Hassan Raza
Greenhorn

Joined: May 20, 2014
Posts: 2
Our application underwent a security assessment, and it was recommended that we use HttpOnly and SSL encryption. Our Tomcat version is 7.0.23.

I googled this and made the following settings, which are recommended by most bloggers.

In conf/context.xml:



In conf/server.xml:



In WEB-INF/web.xml:



After making these changes I restarted Tomcat, but there was no change. We are using the Burp tool to intercept browser sessions.

Regards
Aly
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41874
Welcome to JavaRanch.

Mehar Hassan Raza wrote: After making these changes I restarted Tomcat, but there was no change. We are using the Burp tool to intercept browser sessions.

What does this tool show you (before and after) that leads you to believe there was no change?

I'd have thought that the obvious test would be to try to get at those cookies via JavaScript.


Ping & DNS - my free Android networking tools app
Mehar Hassan Raza
Greenhorn

Joined: May 20, 2014
Posts: 2
Ulf Dittmer wrote: Welcome to JavaRanch.

Mehar Hassan Raza wrote: After making these changes I restarted Tomcat, but there was no change. We are using the Burp tool to intercept browser sessions.

What does this tool show you (before and after) that leads you to believe there was no change?

I'd have thought that the obvious test would be to try to get at those cookies via JavaScript.



The security analyst is saying that the Burp tool shows the following information about the client/server session:

Cookie: JSESSIONID=0862B1AF10065D0B7B80FF2111DB45E2; BrowserLocale="en "

and that it should show the following:

Cookie: JSESSIONID=0862B1AF10065D0B7B80FF2111DB45E2; BrowserLocale="en ";httponly;secure;

Regards
Aly
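HttpOnly and Secure are attributes that the server sends in its Set-Cookie response header; the browser's Cookie request header (the line Burp shows above) only ever carries name=value pairs and will never contain them, so the check belongs on the response. Below is an added example, not code from this thread or from Tomcat, that parses Set-Cookie response headers and reports which cookies lack the two attributes; the sample headers are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample Set-Cookie response headers (not captured from a real server):
# a JSESSIONID without attributes, the same cookie with both attributes set,
# and a locale cookie carrying only HttpOnly.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=0862B1AF10065D0B7B80FF2111DB45E2; Path=/app",
    "Set-Cookie: JSESSIONID=0862B1AF10065D0B7B80FF2111DB45E2; Path=/app; Secure; HttpOnly",
    'Set-Cookie: BrowserLocale="en "; Path=/app; HttpOnly',
]


def parse_set_cookie(line: str) -> Dict[str, object]:
    """Split one Set-Cookie header into its name, value and attribute flags."""
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    # First segment is name=value; the rest are attributes such as Path, Secure, HttpOnly.
    parts = [p.strip() for p in line.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {
        "name": name.strip(),
        "value": value.strip(),
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
    }


def audit_cookies(headers: List[str], want_secure: bool = True) -> List[str]:
    """Return one finding per Set-Cookie header that lacks HttpOnly (and Secure, if wanted)."""
    findings = []
    for line in headers:
        cookie = parse_set_cookie(line)
        missing = []
        if not cookie["httponly"]:
            missing.append("HttpOnly")
        if want_secure and not cookie["secure"]:
            missing.append("Secure")
        if missing:
            findings.append(f"{cookie['name']}: missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

Feed it the raw Set-Cookie lines from the server response captured in Burp (or `curl -i`); a JSESSIONID reported as missing HttpOnly means the context setting did not take effect.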
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16065

You might want to read this: http://www.coderanch.com/forums/posts/preList/624164/2853715


Customer surveys are for companies who didn't pay proper attention to begin with.
 